748 Views | 0 Helpful | 6 Replies

Port level restriction with site-to-site VPN connection

mahavirsj (Level 1)

Is it possible to put port-level restrictions in place while using a site-to-site VPN?

I have not been able to set up port-level restrictions for hosts while configuring a site-to-site VPN.

Cisco PIX 515E, ver 6.3

crypto map map1 1 ipsec-isakmp
crypto map map1 1 match address ACL_CRYPT
crypto map map1 1 set peer PEER_IP
crypto map map1 1 set transform-set Transform_set
crypto map map1 1 set security-association lifetime seconds 10800 kilobytes 4608000
access-list ACL_CRYPT permit tcp host a.b.c.d host i.j.k.l eq 23

ISAKMP parameters..........

Am I missing something in the above config?

Or is this a limitation of the Cisco PIX?

Thanks

Regards

Mahavir

6 Replies

Not applicable

You need an extended access list to do what you require.

I have used an extended list but it is still not working. Do I need to do anything else other than this?

Please help.

Thanks

Regards

Mahavir

The PIX does not support defining interesting traffic at the port level. If you need to filter at this level, use ACLs on the outside interface and disable sysopt connection permit-ipsec.

Will disabling sysopt connection permit-ipsec affect my site-to-site VPN tunnel in any way? I know that the sysopt connection command is used to permit only VPN ports between the two participating peers.

So if I have an ACL applied on the outside interface, I need to add the IP address to this ACL as well as to the ACL with which I am defining the VPN interesting traffic, and for this to work I need to disable the sysopt command.

Did I understand that correctly?

Thanks

Regards

Mahavir

I think that you have it.

Basically, if your inside network is 192.168.100.0 /24 and the remote side is 10.1.1.0 /24, then you would have the following in your access list on the outside interface:

access-list outside permit tcp 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0 eq 23

This would allow the remote users to telnet to anything on your network (192.168.100.0 /24).

Or you could even just say host to host:

access-list outside permit tcp host x.x.x.x host y.y.y.y eq 23

just like you would for anything else.
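The full PIX 6.3 configuration that the last two replies describe, written out as an added example (this is not from the original thread and not Cisco's own sample): the crypto ACL is reduced to host/network level, the port restriction moves to the outside interface ACL, and sysopt connection permit-ipsec is disabled so that decrypted traffic is actually checked against that ACL. It reuses the names from the question (map1, ACL_CRYPT, Transform_set, PEER_IP, hosts a.b.c.d local and i.j.k.l remote) and the networks from the reply (192.168.100.0/24 local, 10.1.1.0/24 remote). The interface name outside, the NONAT exemption, the transform-set ciphers and the crypto map interface binding are assumptions added to make the fragment complete; the ISAKMP policy and pre-shared key are left out because the question elides them.

```cisco
! Added example, not the original poster's config. Assumes PIX 6.3,
! outside interface named "outside", local 192.168.100.0/24 with host
! a.b.c.d, remote 10.1.1.0/24 with host i.j.k.l, peer address PEER_IP.

! Original crypto ACL (does not work as intended on the PIX):
!   access-list ACL_CRYPT permit tcp host a.b.c.d host i.j.k.l eq 23

! 1. Interesting traffic at host level only. The peer's crypto ACL must be
!    the exact mirror image (10.1.1.0/24 -> 192.168.100.0/24) or IPsec
!    phase 2 will fail on a proxy identity mismatch.
access-list ACL_CRYPT permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0

! 2. Keep tunneled traffic out of NAT (assumed nat 0 exemption).
access-list NONAT permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Port-level filter on the outside interface: after decryption, only
!    telnet from the remote host to the local host is allowed in; any
!    other traffic arriving through the tunnel hits the implicit deny.
!    Any existing permits for non-VPN Internet traffic must stay in this
!    same ACL, because it now governs everything entering "outside".
access-list outside permit tcp host i.j.k.l host a.b.c.d eq 23
access-group outside in interface outside

! 4. Without this line decrypted IPsec traffic bypasses the outside ACL
!    and step 3 has no effect.
no sysopt connection permit-ipsec

! 5. Crypto map from the question, with "set peer" in its proper form and
!    the map bound to the interface (assumed transform-set ciphers).
crypto ipsec transform-set Transform_set esp-3des esp-sha-hmac
crypto map map1 1 ipsec-isakmp
crypto map map1 1 match address ACL_CRYPT
crypto map map1 1 set peer PEER_IP
crypto map map1 1 set transform-set Transform_set
crypto map map1 1 set security-association lifetime seconds 10800 kilobytes 4608000
crypto map map1 interface outside

! ISAKMP policy and pre-shared key for PEER_IP: as in the original
! configuration (elided in the question, not reproduced here).
```

Two things to check after applying this. First, the outside ACL only restricts connections initiated from the remote side; local hosts can still open any port toward 10.1.1.0/24 through the tunnel, so restricting a.b.c.d to telnet toward i.j.k.l needs a corresponding ACL on the inside interface (with a trailing permit for whatever other outbound traffic the site expects, since applying an access-group on inside removes the default permit-all-outbound). Second, once sysopt connection permit-ipsec is disabled it is disabled for every tunnel terminating on this PIX, so any other site-to-site or remote-access peers need their decrypted traffic permitted in the outside ACL as well, or they will silently stop passing traffic.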